lockbit | hxxp://185[.]215[.]113[.]101/file/LB3[.]exe

Analysis

max time kernel
50s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.215.113.101/file/LB3.exe

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\MNYHU2Jh1.README.txt

Ransom Note

~~~ LockBit 5.02 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24

Emails

[email protected]

URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 27638.crdownload	family_lockbit

Renames multiple (323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B4F8.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation B4F8.tmp
Executes dropped EXE 5 IoCs

Processes:

LB3.exeLB3.exeB4F8.tmpLB3.exeLB3.exe

pid process

2740 LB3.exe
1156 LB3.exe
5348 B4F8.tmp
5828 LB3.exe
5892 LB3.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	B4F8.tmp

pid	process
2740	LB3.exe
1156	LB3.exe
5348	B4F8.tmp
5828	LB3.exe
5892	LB3.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

LB3.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

B4F8.tmp

pid process

5348 B4F8.tmp
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5348	B4F8.tmp

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LB3.exeB4F8.tmpLB3.execmd.exeLB3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B4F8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 9 IoCs

Processes:

LB3.exeLB3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon\ = "C:\\ProgramData\\MNYHU2Jh1.ico"	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1\ = "MNYHU2Jh1"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MNYHU2Jh1\DefaultIcon\ = "C:\\ProgramData\\MNYHU2Jh1.ico"	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.MNYHU2Jh1\ = "MNYHU2Jh1"	LB3.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 27638.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 27638.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeLB3.exeLB3.exeLB3.exe

pid	process
4976	msedge.exe
4976	msedge.exe
216	msedge.exe
216	msedge.exe
2308	identity_helper.exe
2308	identity_helper.exe
3956	msedge.exe
3956	msedge.exe
2740	LB3.exe
2740	LB3.exe
1156	LB3.exe
1156	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
5892	LB3.exe
5892	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe
2740	LB3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

216 msedge.exe
216 msedge.exe
216 msedge.exe
216 msedge.exe
216 msedge.exe
216 msedge.exe
216 msedge.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

LB3.exeLB3.exeB4F8.tmpLB3.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2740	LB3.exe
Token: SeBackupPrivilege	2740	LB3.exe
Token: SeDebugPrivilege	2740	LB3.exe
Token: 36	2740	LB3.exe
Token: SeImpersonatePrivilege	2740	LB3.exe
Token: SeIncBasePriorityPrivilege	2740	LB3.exe
Token: SeIncreaseQuotaPrivilege	2740	LB3.exe
Token: 33	2740	LB3.exe
Token: SeManageVolumePrivilege	2740	LB3.exe
Token: SeProfSingleProcessPrivilege	2740	LB3.exe
Token: SeRestorePrivilege	2740	LB3.exe
Token: SeSecurityPrivilege	2740	LB3.exe
Token: SeSystemProfilePrivilege	2740	LB3.exe
Token: SeTakeOwnershipPrivilege	2740	LB3.exe
Token: SeShutdownPrivilege	2740	LB3.exe
Token: SeAssignPrimaryTokenPrivilege	1156	LB3.exe
Token: SeBackupPrivilege	1156	LB3.exe
Token: SeDebugPrivilege	1156	LB3.exe
Token: 36	1156	LB3.exe
Token: SeImpersonatePrivilege	1156	LB3.exe
Token: SeIncBasePriorityPrivilege	1156	LB3.exe
Token: SeIncreaseQuotaPrivilege	1156	LB3.exe
Token: 33	1156	LB3.exe
Token: SeManageVolumePrivilege	1156	LB3.exe
Token: SeProfSingleProcessPrivilege	1156	LB3.exe
Token: SeRestorePrivilege	1156	LB3.exe
Token: SeSecurityPrivilege	1156	LB3.exe
Token: SeSystemProfilePrivilege	1156	LB3.exe
Token: SeTakeOwnershipPrivilege	1156	LB3.exe
Token: SeShutdownPrivilege	1156	LB3.exe
Token: SeDebugPrivilege	2740	LB3.exe
Token: SeBackupPrivilege	5348	B4F8.tmp
Token: SeRestorePrivilege	5348	B4F8.tmp
Token: SeIncBasePriorityPrivilege	5348	B4F8.tmp
Token: 33	5348	B4F8.tmp
Token: SeManageVolumePrivilege	5348	B4F8.tmp
Token: SeSecurityPrivilege	5348	B4F8.tmp
Token: SeShutdownPrivilege	5348	B4F8.tmp
Token: SeSystemProfilePrivilege	5348	B4F8.tmp
Token: SeTakeOwnershipPrivilege	5348	B4F8.tmp
Token: SeAssignPrimaryTokenPrivilege	5892	LB3.exe
Token: SeBackupPrivilege	5892	LB3.exe
Token: SeDebugPrivilege	5892	LB3.exe
Token: 36	5892	LB3.exe
Token: SeImpersonatePrivilege	5892	LB3.exe
Token: SeIncBasePriorityPrivilege	5892	LB3.exe
Token: SeIncreaseQuotaPrivilege	5892	LB3.exe
Token: 33	5892	LB3.exe
Token: SeManageVolumePrivilege	5892	LB3.exe
Token: SeProfSingleProcessPrivilege	5892	LB3.exe
Token: SeRestorePrivilege	5892	LB3.exe
Token: SeSecurityPrivilege	5892	LB3.exe
Token: SeSystemProfilePrivilege	5892	LB3.exe
Token: SeTakeOwnershipPrivilege	5892	LB3.exe
Token: SeShutdownPrivilege	5892	LB3.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 216 wrote to memory of 2696	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2696	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 2520	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 4976	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 4976	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe
PID 216 wrote to memory of 3112	216	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://185.215.113.101/file/LB3.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff553246f8,0x7fff55324708,0x7fff55324718
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,11383752944437017368,11059649731453085801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Users\Admin\Downloads\LB3.exe
  "C:\Users\Admin\Downloads\LB3.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Users\Admin\Downloads\LB3.exe
  "C:\Users\Admin\Downloads\LB3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- - C:\ProgramData\B4F8.tmp
    "C:\ProgramData\B4F8.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5348
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B4F8.tmp >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:6040
- C:\Users\Admin\Downloads\LB3.exe
  "C:\Users\Admin\Downloads\LB3.exe"
  2⤵
  - Executes dropped EXE
  PID:5828
- C:\Users\Admin\Downloads\LB3.exe
  "C:\Users\Admin\Downloads\LB3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\UUUUUUUUUUU

Filesize
129B

MD5
0ecaf141cd6cf25915b0adb03f6c55cf

SHA1
1de805a60f5f279c6f4dfe26aba7d24639084991

SHA256
9b12776a5fdc74eeacb3a041294ce87a9cd6dd055afdf1c58a8424c2c9568fd6

SHA512
4fc7af077d52e798ed34706eae0f6884d92666908ecc44f618bef00fa45797ae5c75a7cf81f2ef7616b52a1192bc0feeda75e16ad20167add63653bc478fd9c0

Download Submit
C:\MNYHU2Jh1.README.txt

Filesize
1KB

MD5
70f8acf921f004784b21982bdfb5fb9b

SHA1
a5fe82b54b1da9425c680e04ac9a0ea88ff4a225

SHA256
497cdf0c2b83ff7b52d2b0e06985a0dd70746291f1c7fef1dd191e286a8f71f4

SHA512
04c76d374ac49c6c6d72fd00c0bafe0bb50ab98f8e2e954f32c575720df623d1e1103954475e9a36a79de7820627ef5170d00ac1d768038e50ad1e4e80313084

Download Submit
C:\ProgramData\B4F8.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\MNYHU2Jh1.ico

Filesize
14KB

MD5
88d9337c4c9cfe2d9aff8a2c718ec76b

SHA1
ce9f87183a1148816a1f777ba60a08ef5ca0d203

SHA256
95e059ef72686460884b9aea5c292c22917f75d56fe737d43be440f82034f438

SHA512
abafea8ca4e85f47befb5aa3efee9eee699ea87786faff39ee712ae498438d19a06bb31289643b620cb8203555ea4e2b546ef2f10d3f0087733bc0ceaccbeafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d56d2d920416e176f34d2f08ec52650

SHA1
a7255d7075d0da6c0cbd3357e81536c8fe2917ca

SHA256
87a009988f6061144dd53dfc2fcc133264012663be2d3825064608a76acb087c

SHA512
3fd269d388edc6bff5471e64e37d5a58fcf760397b5cc3093c475f4d42cd2d1242b89b264104ef6749997da7af9e12a7fe22f90d22e9145ac33d2b36a2e21537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36245097db55397d6470e1c110bcdadb

SHA1
f82bdd8f45f577d3cd02c52874cf29c59c18c873

SHA256
f3ac745b940081107785aea107c48f7da9d36604547f9e0a550e6081b9d36f87

SHA512
e4d7aba7754ba2d2e5379e28943b3d224b92b97717649d26758dbfd39338d4a2e17517fd81649ab5fdc92217f5335684d7cb1fc78b21df4d2c86e9bbd8b8a391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb36b2ba5078548316ba1bf7d2e6127d

SHA1
644ffe113b14c7cb11efb577da72568e373dcff6

SHA256
8acd62d53c47105e82960f89cba7c99e89ad1ba63ab0dce2bfeb5effbda30a9c

SHA512
da38982bab607540d77ca840c06acf81ac266f6b8e96071627983d55ddccbb5b7de6f2c558a7716860d09c19dec9abf1b46cba32069708390478caf5c769add7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76ea1af31540b51910a30f8f29fbbe03

SHA1
f7dff58f879c3d18a86dde32da71d93b36713600

SHA256
788a2a69749d4d5768de47bbd0842306784ab69df4bbe14bce98d00ed3b67e1b

SHA512
85c96095889cbfd8f540effdaa62e627bd4d40b0f7a685ea6f80147d7e2d3da022a08d7056f902d58b20468a821ee2a9a5b6b02e26da5b087f46cb9cefac4ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
63964f0795ee26339e5d361e0f922f19

SHA1
e01172c08975891de825066e07ed7e787274a4a8

SHA256
824fa37aca4c30ce274aed0501dcd7cbab160f1d517dd67aacd866199ffbf4b6

SHA512
395c7a0d92dbb946ea745b5116cda8c58f334ac59b3e627354704cc15c48fcb3f406eb482dad8a9252194578c1df5842d9af54c1710edd4375f9fbf3dbf895b5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 27638.crdownload

Filesize
147KB

MD5
5820e728cfad98d8673d29448c58c7d5

SHA1
cfe71685fd09fd14d2d2faa8618b2559438a8b1e

SHA256
5ccc9cb2e75c85b87f7244cca81c1acf6dfffe8f35a8c4d0ee00795872a9c9e7

SHA512
28ce7d774bd528a83e18fadf74e2826ae99031909e0907c83278604ba72a299942436721443ead9820a7e6bbc1f07c2e325886d316ed529fd12946c20e6cb9d4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\DDDDDDDDDDD

Filesize
129B

MD5
e9aa6cc9877ad8fef84226e436de677a

SHA1
c32c693defbc36af5fbecff1b84196f5ca53c631

SHA256
25fb1864db6a213540a237611f342f5769a573a2428bb90e7db60e3a7b21ad99

SHA512
4227d9ea3a9152f0c34d3490436978f96075e3106b32e938c390418cfa04f20bfb4f0acd3fbc270e9205c5cac38aea2ef6f5ef424bc1eb54b2a5f86f45d6b5fa

Download Submit
\??\pipe\LOCAL\crashpad_216_KIZUUFJNPHCQDVUZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit